Denonia malware may be first to target AWS Lambda

A newly discovered malware, dubbed Denonia after the domain name used by its operators, may be the first case of malware specifically targeted Amazon Web Services (AWS) Lambda environments, according to the researchers at Cado Labs, who first spotted it in the wild.

Cado’s Matt Muir, Chris Doman, Al Carchrie and Paul Scott said that while Denonia may appear relatively innocuous, because it only runs cryptomining software, it uses cutting-edge technigques to evade standard detection methods and virtual network access controls, and demonstrates how malicious actors are using cloud-specific knowledge to exploit complex infrastructures, pointing the way to future, more damaging attacks.

They said Lambda – which is a serverless, event-driven compute service that lets users run code for virtually any kind of app or backend service without having to provision or manage a server – may prove particularly vulnerable to malwares.

“Organisations – both large and small – are increasingly leveraging Lambda serverless functions,” they said in a disclosure notice. “From a business agility perspective, serverless has significant benefits. However, short runtime durations, the sheer volume of executions, and the dynamic and ephemeral nature of Lambda functions can make it difficult to detect, investigate and respond to a potential compromise.”

Denonia is coded in the Go, aka Golang, programming language, and contains a customised variant of the XMRig cryptominer, coupled with some as-yet unknown functions. Go malwares are becoming increasingly favoured by malicious actors, they said, due to various specific functions, and some characteristics of the language that can be challenging for ethical hackers to analyse.

Muir’s team said although their analysis found Denonia was clearly designed to execute specifically within Lambda environments, they had been unable to confirm how it was spread, although they speculated it may be manually deployed via compromised AWS Access and Secret Keys.

They also noted that while Denonia specifically expects to run in Lambda, it is possible for it to run in other Linux environments – this is likely because Lambda serverless environments run Linux under the bonnet, so when the team ran it in its sandbox it still believed it was running in Lambda.

The researchers said the first sample they had found dated from the end of February, but they have since found a second sample uploaded to VirusTotal in January.

In response, Cado has added the ability to investigate and remediate Denonia for both AWS ECS and AWS Lambda environments to its Cado Response platform.

The full disclosure notice, including more in-depth analysis, screenshots, and indicators of compromise (IoCs), can be found at Cado’s website.

Cado’s team confirmed they had made a full disclosure to AWS but that the organisation had not yet responded, beyond to confirm its receipt.

An AWS spokesperson said: “Lambda is secure by default, and AWS continues to operate as designed. Customers are able to run a variety of applications on Lambda, and this is otherwise indistinguishable to discovering the ability to run similar software in other on-premises or cloud compute environments. That said, AWS has an acceptable use policy (AUP) that prohibits the violation of the security, integrity, or availability of any user, network, computer or communications system, software application, or network or computing device, and anyone who violates our AUP will not be allowed to use our services.”

AWS also rejected Cado's depiction of Denonia as a malware. The spokesperson said: “The software described by the researcher does not exploit any weakness in Lambda or any other AWS service. Since the software relies entirely on fraudulently obtained account credentials, it is a distortion of facts to even refer to it as malware because it lacks the ability to gain unauthorized access to any system by itself. What’s more, the researchers even admit that this software does not access Lambda, and that when run outside of Lambda in a standard Linux server environment, the software performed similarly.

“It is also important to note that the researchers clearly say in their own blog that Lambda provides enhanced security over other compute environments in their own blog: ‘under the AWS Shared Responsibility model, AWS secures the underlying Lambda execution environment but it is up to the customer to secure functions themselves’ and ‘the managed runtime environment reduces the attack surface compared to a more traditional server environment’.”

As noted above, Linux-based cloud services are becoming increasingly susceptible to cyber attack thanks to its widespread use, with a recent VMware study finding concerning evidence that security products and teams were lagging some distance behind malicious actors.

The report, Exposing malware in Linux-based multicloud environments, said current countermeasures are too heavily focused on addressing Windows-based threats, with the effect that many public and private cloud deployments are left vulnerable to attacks that would otherwise be easy to stop.

This article was updated at 10:20am on Friday 8 April to include comments from AWS.